[Python-Dev] Fuzzing bugs: most bugs are closed (original) (raw)
Jesse Noller jnoller at gmail.com
Sat Jul 19 15:14:44 CEST 2008
- Previous message: [Python-Dev] Fuzzing bugs: most bugs are closed
- Next message: [Python-Dev] Fuzzing bugs: most bugs are closed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sat, Jul 19, 2008 at 7:23 AM, Victor Stinner <victor.stinner at haypocalc.com> wrote:
Hi,
I filed 14 issues about bugs found by fuzzing (see my other email "Play with fuzzing" for more information). Most bugs are now closed, cool :-) Last bugs:

== Trivial open bugs ==

- segfault on locale.gettext(None) - http://bugs.python.org/issue3302 - attached patch is trivial: fix the PyArg_ParseTuple() to block None value, and reject empty domain string for bindtextdomain() (to avoid strange error "OSError(0): success")
- invalid ref count on locale.strcoll() error - http://bugs.python.org/issue3303 - attached patch is trivial: add "if (rel1)"
- multiprocessing.Connection() doesn't check handle - http://bugs.python.org/issue3321 - multiprocessing.Connection(fd) doesn't check that fd is a valid file handle and so may crash on poll (the "evil" FD_SET() call) - my patch adds "|| fstat(handle, &statbuf)" to make sure that the file descriptor is valid

== Complex open bugs ==

- block operation on closed socket/pipe for multiprocessing - http://bugs.python.org/issue3311 - close() method sets the file handle to -1 but most methods don't check the handle and so may fail or crash. Especially poll() calls FD_SET((SOCKET)conn->handle, &rfds); with handle=-1 => crash. - my patch creates a new MP error: "return MP_CLOSED_FILE;", used if handle is INVALID_HANDLE_VALUE to block operations (send, receive, poll) on closed files for socket and pipe.
- bugs in scanstring_str() and scanstring_unicode() of json module - http://bugs.python.org/issue3322 - scanstring() function crashes if second argument is a big negative integer. There is no attached patch because I don't understand this function enough to fix it correctly, but I suggest raising a ValueError if end is too small/big
- invalid object destruction in re.finditer() - or "PyObject_DEL inconsistency if pydebug option is used" - http://bugs.python.org/issue3299 - It's the most complex bug, I prefer to write a new email :-)

== Need backport / port to python 3.0 ==

- invalid call to PyMem_Free() in fileio_init() - http://bugs.python.org/issue3304 - patch applied in Python 2.6 (trunk) but not in Python 3000: "i'm assuming that'll be merged into py3k automagically." wrote Gregory P. Smith
- missing lock release in BZ2File_iternext() - http://bugs.python.org/issue3309 - patch applied in Python 2.6 but "Needs backporting to release25-maint." wrote Gregory P. Smith

When all bugs are closed, I will restart fuzzing Python ;-) But I also tried with my patches and I was unable to find new bugs, great!

Victor
Thank you Victor - I didn't want to change any underlying multiprocessing code until we had the test suite in a better state (which we do now). Now that beta 2 is out, I will address the multiprocessing ones asap.
One suggestion would be to include tests to prove the bug is fixed if possible (to the patch), so we can add them to the suite. I know that that is not always possible, but it does help. I worry about making code changes without appropriate tests. If anything, a snippet of code "exploiting" the flaw may help generate a test case on my end. Thanks again for doing this.
-jesse
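A Python-level illustration, added here and not part of the thread or of the multiprocessing package, of the two checks Victor's patches describe: validating the descriptor with fstat() at construction time (issue3321) and refusing operations on a closed handle instead of passing -1 to FD_SET (issue3311). It is written as the kind of reproducer-plus-test Jesse asks for; the Connection class is a constructed stand-in, not the real C implementation.

```python
import os
import select


class Connection:
    """Constructed stand-in for multiprocessing.Connection (not the real one)."""

    def __init__(self, fd):
        # issue3321: mirror the "|| fstat(handle, &statbuf)" patch by refusing
        # a descriptor the OS does not recognise instead of storing it blindly.
        try:
            os.fstat(fd)
        except OSError as e:
            raise ValueError(f"invalid file descriptor {fd!r}") from e
        self._handle = fd

    def _check_open(self):
        # issue3311: close() sets the handle to -1; every operation must
        # check it, otherwise -1 reaches select()/FD_SET.
        if self._handle == -1:
            raise OSError("operation on closed connection")

    def close(self):
        if self._handle != -1:
            os.close(self._handle)
            self._handle = -1

    def poll(self, timeout=0.0):
        self._check_open()
        readable, _, _ = select.select([self._handle], [], [], timeout)
        return bool(readable)

    def send_bytes(self, data):
        self._check_open()
        os.write(self._handle, data)


def rejects_stale_fd():
    """Return True if a descriptor that was already closed is refused."""
    r, w = os.pipe()
    os.close(r)
    os.close(w)
    try:
        Connection(r)
    except ValueError:
        return True
    return False


def closed_connection_blocks_operations():
    """Return (data seen while open, all operations refused after close())."""
    r, w = os.pipe()
    reader, writer = Connection(r), Connection(w)
    writer.send_bytes(b"ping")
    seen = reader.poll(0.0)
    reader.close()
    writer.close()
    refused = []
    for op in (reader.poll, lambda: writer.send_bytes(b"x")):
        try:
            op()
            refused.append(False)
        except OSError:
            refused.append(True)
    return seen, all(refused)
```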